@Dashrender true, but in my small environment, it's more to remind them of company policy (don't install shit until I approve it). It hasn't been a huge issue, but it helps fill in the gaps left by everyone being local admin and the lack of web filtering.

What? How can they install something? They dont' have admin rights, right?

See bold text. And yes, I know. Beyond my control.

If you have end users acting as admins, then a powerful central AV is way more important and doing things potentially beyond standard AV functions that are making more of a difference for you.

That's my take on it as well. My users are mostly excellent, they rarely do dumb things. In fact, they often call me over to look at stuff they deem suspect, and it makes me smile to know they stopped to think first. But I sleep better knowing webroot is there.

@Dashrender true, but in my small environment, it's more to remind them of company policy (don't install shit until I approve it). It hasn't been a huge issue, but it helps fill in the gaps left by everyone being local admin and the lack of web filtering.

What? How can they install something? They dont' have admin rights, right?

See bold text. And yes, I know. Beyond my control.

If you have end users acting as admins, then a powerful central AV is way more important and doing things potentially beyond standard AV functions that are making more of a difference for you.

That's my take on it as well. My users are mostly excellent, they rarely do dumb things. In fact, they often call me over to look at stuff they deem suspect, and it makes me smile to know they stopped to think first. But I sleep better knowing webroot is there.

Even IT people should not be local admins. It's partly about doing something dumb, but things can happen accidentally, too.

@Dashrender true, but in my small environment, it's more to remind them of company policy (don't install shit until I approve it). It hasn't been a huge issue, but it helps fill in the gaps left by everyone being local admin and the lack of web filtering.

What? How can they install something? They dont' have admin rights, right?

See bold text. And yes, I know. Beyond my control.

Wow!

Why do they need local admin? because shitty applications? will they allow you to try to make solutions to that? There was a recent thread around here about that - getting an app to run as admin, though the user doesn't know the admin password.

My understanding is that our internal application and CRM need local admin rights. Poor design? Yes. But as the product advances, and as large potential customers scoff at things like that (also CRM only works in IE), things are slowly changing for the better.

@Dashrender true, but in my small environment, it's more to remind them of company policy (don't install shit until I approve it). It hasn't been a huge issue, but it helps fill in the gaps left by everyone being local admin and the lack of web filtering.

What? How can they install something? They dont' have admin rights, right?

See bold text. And yes, I know. Beyond my control.

Wow!

Why do they need local admin? because shitty applications? will they allow you to try to make solutions to that? There was a recent thread around here about that - getting an app to run as admin, though the user doesn't know the admin password.

My understanding is that our internal application and CRM need local admin rights. Poor design? Yes. But as the product advances, and as large potential customers scoff at things like that (also CRM only works in IE), things are slowly changing for the better.

We had a dev here a year ago or so that was able to get the CRM fully working in chrome, but it was an unofficial feature. So I know it can be done.

I can't believe you're getting new customers.

Haven't for a while, hopefully they fix that. We make software for property tax assessment... so not exactly the bleeding edge of technology in those government offices. I just recently shut down the last XP machine - its only purpose was for running a really old version of TeamViewer to support them. Super poor county with no means or desire to upgrade beyond that old TV and XP.

@Dashrender true, but in my small environment, it's more to remind them of company policy (don't install shit until I approve it). It hasn't been a huge issue, but it helps fill in the gaps left by everyone being local admin and the lack of web filtering.

What? How can they install something? They dont' have admin rights, right?

There are a lot of things that you can "install" (using install in the light sense) that can include ransomware, that doesn't require admin rights, as we saw at a now customer over the last few days. It was an end user account with access to the main document store that ransomed everything.

of course - I know this. I truly detest Google because Google Chrome and Chromium can be installed without local admin rights... and many programs can just run without the need for local admin - and yeah, infect, encrypt whatever it wants.

@Dashrender true, but in my small environment, it's more to remind them of company policy (don't install shit until I approve it). It hasn't been a huge issue, but it helps fill in the gaps left by everyone being local admin and the lack of web filtering.

What? How can they install something? They dont' have admin rights, right?

See bold text. And yes, I know. Beyond my control.

If you have end users acting as admins, then a powerful central AV is way more important and doing things potentially beyond standard AV functions that are making more of a difference for you.

That's my take on it as well. My users are mostly excellent, they rarely do dumb things. In fact, they often call me over to look at stuff they deem suspect, and it makes me smile to know they stopped to think first. But I sleep better knowing webroot is there.

Even IT people should not be local admins. It's partly about doing something dumb, but things can happen accidentally, too.

I have this conversation all the time. "I'd never be an admin on my own box, so if the system admin wouldn't do it, why are the end users?"

@Dashrender true, but in my small environment, it's more to remind them of company policy (don't install shit until I approve it). It hasn't been a huge issue, but it helps fill in the gaps left by everyone being local admin and the lack of web filtering.

What? How can they install something? They dont' have admin rights, right?

See bold text. And yes, I know. Beyond my control.

If you have end users acting as admins, then a powerful central AV is way more important and doing things potentially beyond standard AV functions that are making more of a difference for you.

That's my take on it as well. My users are mostly excellent, they rarely do dumb things. In fact, they often call me over to look at stuff they deem suspect, and it makes me smile to know they stopped to think first. But I sleep better knowing webroot is there.

Even IT people should not be local admins. It's partly about doing something dumb, but things can happen accidentally, too.

I have this conversation all the time. "I'd never be an admin on my own box, so if the system admin wouldn't do it, why are the end users?"

And I'm not, my desktop account right now isn't the local admin.

I made this change for myself about 8 years ago.. later than it should have been.. but meh, at least I did it.

#3 is why I like webroot. Easy central control. Can you get any kind of management console for windows defender without giving MS a bunch more money?

You can make your own, but that's the same as spending money (basically.) The nice thing about Defender is that you rarely need central control. If that's something you need, then Defender is weak today. But rarely have we found a need for that.

The console is mostly to see who did something stupid so I can say "hey, don't do that shit".

But again, I ask - to what end? it's not likely the company will fire them if they do it again, or do it 10 more times. So why waste your breath? As an IT person I want to help people be safer on the internet, etc - but I've come around to realize that unless I'm the dictator - that's simply not a priority in most companies - and I just need to LET IT GO.

Why waste your time telling people not to do something? Then why train them with security awareness, like KnowBe4, as you brought up?

So that extension is pretty basic. It also says "preview", so hopefully they will add some more functionality later. As of now, it only shows status and threat history, and to see that you have to go into each system's page and click on security. Totally bare bones, but at least you can get defender info from a semi-centralized interface.

#3 is why I like webroot. Easy central control. Can you get any kind of management console for windows defender without giving MS a bunch more money?

You can make your own, but that's the same as spending money (basically.) The nice thing about Defender is that you rarely need central control. If that's something you need, then Defender is weak today. But rarely have we found a need for that.

The console is mostly to see who did something stupid so I can say "hey, don't do that shit".

But again, I ask - to what end? it's not likely the company will fire them if they do it again, or do it 10 more times. So why waste your breath? As an IT person I want to help people be safer on the internet, etc - but I've come around to realize that unless I'm the dictator - that's simply not a priority in most companies - and I just need to LET IT GO.

Why waste your time telling people not to do something? Then why train them with security awareness, like KnowBe4, as you brought up?

Oh, that's not the same at all. Training hopefully will be accepted and integrated - but simply telling - so often just goes unheard.

While there shouldn't be a difference, the end person often sees a HUGE difference - one being that the company actually values educating the company as a whole, not just a chastising of someone for something something wrong/bad/etc.

All of the training in the world won't stop a sophisticated attack. Users are a great way to prevent a lot of the lowly attacks, but attacks from state actors or people who are targeting the business will, eventually be successful.

AV is a frontline, along with user training and awareness. It's not a bullet proof shield.

All of the training in the world won't stop a sophisticated attack. Users are a great way to prevent a lot of the lowly attacks, but attacks from state actors or people who are targeting the business will, eventually be successful.

AV is a frontline, along with user training and awareness. It's not a bullet proof shield.

neither will any AV - so in that case, they both do nothing really, against state actors. I consider actual education much more valuable in a case against state actors - because the goal there often is to get the user to do something wrong... IF it can be seen by the user - it will be stopped.... if it's a zero day - the AV likely won't do squat.

But neither would the user. As a lot of zero day's are all behind the scenes. Or things that are so ingrained in the day to day that a user doing nothing abnormal is exposed via the same process, but because of a malicious actor.

But neither would the user. As a lot of zero day's are all behind the scenes. Or things that are so ingrained in the day to day that a user doing nothing abnormal is exposed via the same process, but because of a malicious actor.

in most spearphishing attacks, the user has to initiate the contact - by clicking a link, etc. So, yes.. training can make the suspicious and possibly prevent them from clicking the link.

But neither would the user. As a lot of zero day's are all behind the scenes. Or things that are so ingrained in the day to day that a user doing nothing abnormal is exposed via the same process, but because of a malicious actor.

in most spearphishing attacks, the user has to initiate the contact - by clicking a link, etc. So, yes.. training can make the suspicious and possibly prevent them from clicking the link.

Is most spearphising you're seeing of the zero-day variety? The kind I'm seeing are of the "yup, we know about it and AV killed it, and our user notified us of it before clicking on the link anyways" varietal.

But neither would the user. As a lot of zero day's are all behind the scenes. Or things that are so ingrained in the day to day that a user doing nothing abnormal is exposed via the same process, but because of a malicious actor.

in most spearphishing attacks, the user has to initiate the contact - by clicking a link, etc. So, yes.. training can make the suspicious and possibly prevent them from clicking the link.

Is most spearphising you're seeing of the zero-day variety? The kind I'm seeing are of the "yup, we know about it and AV killed it, and our user notified us of it before clicking on the link anyways" varietal.

yeah, but in your case - the training was still the first to kick in - not the AV, that is assuming the training/user didn't fail. Of course if it did - which is the only reason the AV would be 'stopping' something.. then in that case, because not zero day - the av worked.

But - as Scott already said - the idea here isn't to be rid of AV, because Windows comes with a decent AV already included...

It more about it is better to buy the centralized console for AV or instead spend the money on training/update management solution?

The current price of Webroot is cheaper than us billing time to nuke and setup machines a couple times a year.

Agreed that Webroot would be way cheaper than doing that. But not having Webroot, I've not seen anyone getting infected like that.

If infections happened that often, and if Webroot would stop it, then absolutely that's a great deal. But without Webroot, but with proper setup otherwise (not running as admin, using Defender, etc.) we don't see but the rarest of infections.

All of the training in the world won't stop a sophisticated attack. Users are a great way to prevent a lot of the lowly attacks, but attacks from state actors or people who are targeting the business will, eventually be successful.

But neither would the user. As a lot of zero day's are all behind the scenes. Or things that are so ingrained in the day to day that a user doing nothing abnormal is exposed via the same process, but because of a malicious actor.

in most spearphishing attacks, the user has to initiate the contact - by clicking a link, etc. So, yes.. training can make the suspicious and possibly prevent them from clicking the link.

But - as Scott already said - the idea here isn't to be rid of AV, because Windows comes with a decent AV already included...
It more about it is better to buy the centralized console for AV or instead spend the money on training/update management solution?

Exactly, disabling all AV just to prove a point is silly. It really is about which kind of AV makes sense.